My (now former) insurance company, BlueCross Blue Shield, would accept my new password, but then would reject me from using it because it failed one of these parameters (probably length). It took me several iterations before I figured this out. Why didn’t the site reject my new password immediately and tell me of the rules?
1 Like
I thought I pasted the Javascript code into the body of my message.
Roger D. Parish
Lovettsville, VA
Yes. More generally, the issue is a field that has unspecified formatting requirements. For crying out loud, tell me what the expectation is; don’t assume I format things the way the programmer does!
Sorry I can’t help with the missing bookmarklet for Safari and Chrome. In Firefox, type about:config in the URL field, accept the warning, and search for the dom.event.clipboardevents.enabled switch. Setting to false will sometimes enable pasting.
Yes, been there. As I said above, tell me what the expectation is. I’m not at the web site to solve a mystery.
This is more than an annoyance – it’s a serious security flaw as it penalizes those using password managers. If my password is 20 random characters, it’ll take me forever to type it in manually (including a few errors unless I’m really careful). Therefore I probably will use a crummy password instead, which defeats good security.
I literally won’t do business with companies that won’t allow pasted passwords.
1 Like
I am fairly certain that the thinking is that the companies don’t want to have to deal with support calls/emails from people who copy and paste a password into both fields without properly saving it. The vast majority of people who are creating new accounts on web sites are not as sophisticated as we are, and I am sure that these companies have dealt too many times with people who created accounts, copied and pasted passwords into both fields, and then either forgot to or mistakenly didn’t actually save the password somewhere. Making people type it at least once, with both fields matching, is probably thought to prevent that from happening in a lot of cases.
It is annoying, and it’s too bad that these sites do this, but I always find a way to get the password typed in properly.
I hardly see this behavior anymore - I think it used to be a lot more common.
Thank you. From the docs I see that:
dom.event.clipboardevents.enabled lets websites get notifications if the user copies, pastes, or cuts something from a web page, and it lets them know which part of the page had been selected. The emitting of the oncopy, oncut and onpaste events are controlled by this preference.
Firefox is my browser of choice at the moment, and that doesn’t sound as if it’s likely to break anything, so I will give it a go.
You may well be right. But then if you have somewhere to copy it from that means you have at least written it down somewhere, which is mostly better than trusting to memory.
That’s interesting. I came across one of these just the other day, hence my rant. I agree that they are not common, but I don’t know whether the situation has changed over the years.
As others have said, spot on! I’d add:
- We have accepted your 25-character password without flagging an error, but we’ve silently chopped n characters off the end. Now go count those dots!
I do think more sites these days are set up to handle sensible passwords, though. I generally use 25 characters with digits and the full set of punctuation, and don’t often have problems. Still, it’s a royal pain when it does happen. Password rules for the top few thousand websites would be a handy thing to build into a password manager, perhaps, if one could design a bot to do that?
2 Likes
In America. What about country domains? .uk for example
I’ve long used k@pegley.com my default email address. Some systems aren’t happy with the single letter before the @. British Telecom for example refuse to accept its validity
There are places that have a difficult time accepting those too. I have a friend from Israel who has a Hebrew Israeli email address, a backup Israeli English email address, and a Gmail one as a backup for the backup.
There are certain things you should not validate but programmers do. I think my favorite one was a website that refused to take someone’s birthdate because he was over 70 years old. It only took a two digit year and insisted his birth year was 30 years in the future.
For a long time, all area codes in the US had only a 1 or a 0 for a middle digit. This is because the first three digits of a phone number never had a 1 or a zero as a middle digit. You dialed 903-543-1234, and the phone system could figure out 903 was an area code. You dialed 543-1234, and it could figure out 543 wasn’t an area code, but an exchange. I’m surprised I’ve never run into a website that insisted 437-304-1234 wasn’t a valid American phone number because it broke “the rules”. However, there are plenty of websites that only take 10 digits for a number even though some countries have 11 digits.
It even happened to me with my private .us address (certain websites don’t accept it).
BT has a great many peculiar and annoying behaviours when it comes to spam control!
Thas ok. For Lowes I prefer the 5% discount I get with a Lowes branded credit card. I’ll deal with no Apple Pay.
Because the account signup used a password module written 10 years ago. And the actually sign on system was written last year using the new authentication module. The signup module is scheduled to be re-do next year. And since it “works”,
what is the hurry?
My wife works for a major airline as a product owner at their HQ. Nuff said.
This was a major problem for a decade or so staring in the 80s as the old fixed numbering system was abandoned.
For a long time in the US all (well sort of kind of maybe) pay phone had numbers of the format aaa-bbb-99xx
As we started to run out of number woe be to you if you got one of these for your home or business. All kinds of issues with calling cards, collect calls, 3rd party calls, whatever.
And they did away with the military discount!
I don’t believe that to be true at all. They did change things up by requiring that you validate your service, but the web site still has this page https://www.lowes.com/mylowes/login?context=military
I used to just be able to show my military ID, but now you are required to create an account and give them email address, phone, etc. I said “You just lost my business” and now only shop Home Depot. Of course this was couple of years ago so maybe Lowes has returned to just accepting military ID cards but that link still requires creating accounts. BTW, I wonder how long it will take for them to add the 8th Uniformed Service to the list on that site.
The only wy to deal with issues like this is to cancel the order. When you get the inevitable spam “how did we do” survey, fill it out with the lowest scores and state the reason.
I still run into companies that claim ‘+’ is invalid in an email address. I don’t do business with those companies.
I note these issues that people have raised but they pale with the issues we non-Americans have when dealing with US web sites and their online forms.
There is a strange US-based belief that everywhere else uses the same formats with dates (confused months), addresses, state/province (just two characters), zip/post codes, phone numbers (often restricted to US format), mobile/cell phone numbers (mostly restricted to US format), email and web addresses and more.
Getting an American product delivered to an overseas address is made uncertain because of distortions and contortions caused by mandatory settings of various contact fields on American online sites.
I can’t understand why this is so given that quite a bit of programming of website is done outside the US and they must realise the different ways this sort of data is formatted. Maybe they are directed by their US bosses to follow American styles.
For some reason American fashion and clothing online companies do well. It is American computing and software sellers that are the most perverse in having stupid online forms.
But then there is the big baddie - “Fall”. Only in the US is “Fall” used to denote the autumn season. That’s ok if the market is the US, but there’s plenty of US companies selling to the rest of the world and they keep using “Fall” to say when a product is being released, etc. “Fall” is six months adrift for people in the Southern Hemisphere. Tidbits is an offender although it has lifted its game.